RAND Designs Concept for a Computer Network and Database to Help Intelligence Community "Connect the Dots"

For Release

November 17, 2004

The RAND Corporation has designed a concept for a new computer network and database that could help the U.S. intelligence community “connect the dots” by quickly identifying and interpreting the clues of a possible terrorist attack.

A RAND study issued today announced the development of the concept for the Atypical Signal Analysis and Processing (ASAP) network and database that could serve as a central clearinghouse for intelligence data.

The study outlines how the ASAP design could use some of the same “mental rules” that intelligence analysts use to quickly analyze huge volumes of information to identify unusual and suspicious activity—similar to the way Internet search engines like Google find information by searching vast amounts of data.

“An information search that could take dozens of intelligence analysts days to complete could be carried out within hours by ASAP,” said John Hollywood, a RAND researcher who is the report’s lead author. “This is like giving someone who is looking for a needle in a haystack an incredibly powerful magnet.”

“Using this design, analysts could make better sense of the enormous amounts of information they receive every day,” Hollywood added. “This tool could boost the efficiency of analysts in identifying terrorist-related activities, discerning the links between them and detecting trends.”

The RAND study is titled “Out of the Ordinary: Finding Hidden Threats by Analyzing Unusual Behavior.” Other authors of the report are Diane Snyder, Kenneth McKay and John Boon, all of RAND.

If ASAP moves from a concept to reality, the ASAP database would be comprised of:

  • Information about people, places, events, and financial transactions already suspected to be relevant to terrorist activities. Because privacy protection is an important consideration, the ASAP network would work with a small and restricted data set consisting solely of intelligence and homeland security information. In contrast to some plans that automatically include personal data, ASAP would search such records only if the suspicion is great enough to warrant a subpoena under current U.S. law.
  • Information about infrastructure, commerce, and industries vital to the U.S. economy and national security.
  • Intelligence and government databases, along with publicly available data supplemented by reports from governmental analysts and officials.
  • Information describing patterns of suspicious behavior, as well as information describing patterns of “ordinary” behavior that need not be investigated further.

The RAND study says constructing the ASAP computer network and database would be a complicated and long-term process that would take years. The study makes three key short-term recommendations:

  • Homeland security officials should create and distribute profiles of common threats and status quo conditions of possible target industries such as international commerce and transportation. These profiles provide a systematic and comprehensive approach to educating analysts and field professionals.
  • Electronic bulletin boards should be established where the intelligence community could report suspicious behavior and learn of any similar accounts to help detect and link possible threats. A tool should be developed to organize postings on the bulletin boards according to categories of threats.
  • Search engines should be created to match the results of search queries to look for connections and similar patterns of posted messages.

ASAP would be a tool that intelligence analysts would use to increase the efficiency and thoroughness of the initial process of data collection, and would work to synthesize and interpret continuous streams of information.

A network of computers would then use the database to process and filter the raw data. The network would look for out-of-the-ordinary signals that deviate from typical patterns of behavior and might indicate terrorist activity—such as target casing, training, clandestine communications, smuggling and buying weapons.

Computers would then examine the data that was flagged for scrutiny to identify and prioritize information, using factors such as how “out of the ordinary” the data is, and how related it is to information and patterns pertaining to terror attacks. The computers would develop and test scenarios that direct intelligence analysts to the most relevant and important discoveries for further investigation.

Here is an example of how ASAP could work: Harbor officials report the sudden arrival of 18 fishing boats, all registered to the same foreign company. By itself, this means little. However, the officials note that—based on routine inspection—there is no increase in fishing demand in the area, the boats have extremely powerful engines for fishing vessels, the boats give off an odd smell, and the captains have no prior experience with fishing or sailing. Then other import-export officials note the shipment of the high-speed boats by the same foreign company—but that the boats appear at a port other than where the company said they would be, and the company declares 24 boats, not 18. ASAP would detect these unusual observations, detect the relationships between them and alert analysts to investigate further.

System designers would work with analysts in depth to develop the rules and patterns an ASAP network would use to identify unusual and suspicious data. Because analysts would tell the ASAP network what to look for, it could perform the same initial, highly repetitive review functions that analysts must do today—only much more quickly and more thoroughly. The analysts would be free to focus on the more detailed examinations demanding their expertise.

According to RAND researchers, one of the design’s strengths is its ability to continually incorporate fresh discoveries as well as older information that had previously gone unnoticed. Another strength is that ASAP applies rules and patterns to filter data in multiple steps, teasing out the most significant findings over time, rather than relying on a single data-mining tool. These strengths would give an ASAP network greatly increased analytic power.

In today’s security environment, there are an increased number of small adversaries that are more elusive and scattered across the globe than in the Cold War era. Today’s enemies also use many different strategies, and this makes solely studying established patterns of suspicious behavior counterproductive, according to researchers. As a result, the rules used in ASAP will emphasize finding violations of ordinary behavior patterns, not just established patterns of suspicious behavior.

RAND carried out the study with independent research and development funds provided by the Department of Defense. The National Defense Research Institute at RAND prepared the report. The institute is a federally funded research and development center supported by the Office of the Secretary of Defense, the Joint Staff, the unified commands, and the defense agencies.

Printed copies of “Out of the Ordinary: Finding Hidden Threats by Analyzing Unusual Behavior”, (ISBN: 0-8330-3520-7) can be ordered from RAND’s Distribution Services (order@rand.org or call toll-free in the United States 1-877-584-8642).

About RAND

RAND is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous.